Abstract

In 1998, M. S. Baptista proposed a chaotic cryptosystem, which has attracted much 
attention from the chaotic cryptography community: some of its modifications and 
also attacks have been reported in recent years. In [Phys. Lett. A 307 (2003) 22], we 
suggested a method to enhance the security of Baptista-type cryptosystem, which 
can successfully resist all proposed attacks. However, the enhanced Baptista-type
cryptosystem has a nontrivial defect, which produces errors in the decrypted data 
with a generally small but nonzero probability, and the consequent error propagation 
exists. In this Letter, we analyze this defect and discuss how to rectify it. In addition, 
we point out some newly-found problems existing in all Baptista-type cryptosystems 
and consequently propose corresponding countermeasures. 
1 Introduction



In [1], M. S. Baptista proposed a chaotic cryptosystem based on partitioning
the visiting interval of chaotic orbits of the logistic map. After its publication,
several modified versions have been proposed [2-7]. On the other hand, some
attacks have been reported as tools of breaking the original Baptista-type 
cryptosystem and some of its modified versions [8-11]. In this section, we give 
a brief survey on Baptista-type chaotic cryptosystems, including the original 
scheme and some modified versions, and on some proposed attacks. In the 
following sections, we will show some problems of this class of cryptosystems 
and then propose some countermeasures for enhancing its overall performance. 

At first, we give a detailed introduction to the original Baptista-type cryp- 
tosystem, as a basis of the whole Letter. Note that different notations from 
those in [1] are used to make the description simpler and clearer. 

Given a one-dimensional chaotic map $F: X \to X$ and an interval
$X' = [x_{\min}, x_{\max}) \subseteq X$, divide $X'$ into $S$ $\epsilon$-intervals:
$\forall i = 1 \sim S$, $X'_i = [x_{\min} + (i-1)\epsilon,\ x_{\min} + i\epsilon)$,
where $\epsilon = (x_{\max} - x_{\min})/S$. Assume that plain messages are
composed by $S$ different characters, $\alpha_1, \cdots, \alpha_S$, and use a bijective map,

$$f_S: X_\epsilon = \{X'_1, \cdots, X'_S\} \to A = \{\alpha_1, \cdots, \alpha_S\}, \tag{1}$$

to associate the $S$ different $\epsilon$-intervals with the $S$ different characters. By
introducing an extra character $\beta \notin A$, we can define a new function
$f'_S: X \to A \cup \{\beta\}$ as follows:

Based on the above notations, for a plain-message $M = \{m_1, m_2, \cdots, m_i, \cdots\}$
($m_i \in A$), the original Baptista-type cryptosystem can be described as follows.

• The employed chaotic system: the logistic map, $F(x) = bx(1 - x)$.

• The secret key: the association map $f_S$, the initial condition $x_0$ and the
control parameter $b$ of the logistic map.

• The encryption procedure: a) initialize $x_0^{(0)} = x_0$; b) encrypt the $i$-th
plain-character $m_i$ as follows: iterate the chaotic system from $x_0^{(i-1)}$ to find a
chaotic state $x$ satisfying $f'_S(x) = m_i$, record the iteration number $C_i$ as the
$i$-th cipher-message unit and
$x_0^{(i)} = F^{C_i}(x_0^{(i-1)}) = F^{C_1 + C_2 + \cdots + C_i}(x_0)$.

• The decryption procedure: for each cipher-message unit $C_i$, iterate the chaotic
system for $C_i$ times from $x_0^{(i-1)}$, and then use $x_0^{(i)} = F^{C_i}(x_0^{(i-1)})$
to derive the current plain-character as follows: $m_i = f'_S(x_0^{(i)})$.

• Constraints on $C_i$: each cipher-message unit $C_i$ should satisfy
$N_0 \le C_i \le N_{\max}$ ($N_0 = 250$ and $N_{\max} = 65532$ in [1]). Since there
exist many options for each $C_i$ in $[N_0, N_{\max}]$, an extra coefficient
$\eta \in [0, 1]$ is used to choose the right number: if $\eta = 0$, $C_i$ is chosen as
the minimal number satisfying $f'_S(x) = m_i$; if $\eta \ne 0$, $C_i$ is chosen as the
minimal number satisfying $f'_S(x) = m_i$ and $\kappa \ge \eta$ simultaneously, where
$\kappa$ is a pseudo-random number with a normal distribution within the interval [0, 1].

The original Baptista-type chaotic cryptosystem has the following four defects. 

(1) The distribution of the ciphertext is non-uniform, and the occurrence
probability decays exponentially as $C_i$ increases from $N_0$ to $N_{\max}$ (see
Fig. 3 of [1] and also Fig. 1 of [2]).

(2) At least $N_0$ chaotic iterations are needed to encrypt a plain-character,
which makes the encryption speed very slow as compared with most
conventional ciphers.

(3) The ciphertext size is larger than the plaintext size. 

(4) It is insecure against some different attacks proposed in [8,9], since some 
useful information about the chaotic system can be obtained from the 
ciphertext $\{C_i\}$, i.e., the iteration numbers of the chaotic system.

In recent years, some modifications have been proposed as possible remedies 
for the above defects [2-7]. Meanwhile, cryptanalysis works have also been 
developed to break some modifications [10-12]. 

In [2], the first modified version was proposed to overcome the first defect of 
the original Baptista-type cryptosystem. According to [10,12], this modified 
version is still insecure against the keystream attack proposed in [9]. 

In [3,4], to overcome the second defect, the original Baptista-type cryptosystem
was enhanced by dynamically updating the association map $f_S$. However,
following the cryptanalysis given in [11], the two modified versions are still
insecure, since the essential security defect (i.e., the existence of $C_i$ in the
ciphertext) remains. In [5], utilizing the technique proposed in [3,4], another
modified version was further proposed to achieve shorter ciphertext. This mod- 
ification has not been cryptanalyzed, but the attacks proposed in [11] may be 
generalized to break it. 

In [6], as a new idea of increasing the security, cycling chaos generated by 
multiple different chaotic attractors is used instead of chaos generated from 
one single chaotic map. Though the use of multiple chaotic maps can effectively 
increase the complexity of some attacks, it seems that the keystream attack 
proposed in [9] may still work to its advantage. 

In [7], we proposed a new modification to essentially enhance the security of 
the original Baptista-type cryptosystem. In this scheme, the original ciphertext
stream $\{C_i\}$ is masked by a pseudo-random number stream and then output
as the final ciphertext stream. In this case, it is impossible for an attacker to
get the number of chaotic iterations from the ciphertext, so that all proposed 
attacks will fail. Unfortunately, later we noticed that this modified scheme 
has a nontrivial defect, which produces errors in the decrypted data with a 
generally small but nonzero probability. In the next section, we give more 
details on this defect and discuss how to rectify it.

In all the above Baptista-type cryptosystems, there exist some general prob- 
lems that have not been reported before, which can influence the overall per- 
formance of the cryptosystems to some extent. In Sec. 3 of this Letter, we will 
further discuss these problems and provide some corresponding countermea- 
sures. 



2 Rectifying our early-proposed remedy of Baptista-type chaotic 
cryptosystem that can resist all proposed attacks 

2.1 A brief introduction of the enhanced Baptista-type cryptosystem 

Since the occurrence of $C_i$ in the ciphertext stream is the prerequisite of all
proposed attacks, we can bypass it by concealing $C_i$ in the ciphertext stream.
A natural idea is to secretly mask $C_i$ with a pseudo-random number stream.
It is easy to generate the pseudo-random number stream from the chaotic
system itself. Given a pseudo-random number generation function $f_{be}(\cdot)$, using
$\oplus$ to denote the masking operation, the enhanced Baptista-type cryptosystem
proposed in [7] can be described as follows (without changing other details of
the original cryptosystem, such as the constraints on $C_i$):

• The encryption procedure: for the $i$-th plain-character $m_i$, iterate the chaotic
system starting from $x_0^{(i-1)}$ to find a suitable chaotic state $x$ satisfying
$f'_S(x) = m_i$, record the number of chaotic iterations starting from $x_0^{(i-1)}$
to $x$ as $\tilde{C}_i$ and $x_0^{(i)} = x = F^{\tilde{C}_i}(x_0^{(i-1)})$. Then, the $i$-th
cipher-message unit of $m_i$ is $C_i = \tilde{C}_i \oplus f_{be}(x_0^{(i)})$.

• The decryption procedure: for each ciphertext unit $C_i$, firstly iterate the
chaotic system for $N_0$ times and set $\tilde{C}_i = N_0$, then perform the following
operations: if $\tilde{C}_i \oplus f_{be}(x) = C_i$ then use the current chaotic state $x$ to
derive the plain-character $m_i$ and goto the next ciphertext unit $C_{i+1}$; otherwise,
iterate the chaotic system once and $\tilde{C}_i{+}{+}$, until the above condition is
satisfied.

• The selection of $f_{be}(\cdot)$: due to the non-uniformity of the ciphertext, it has
been known that $f_{be}(\cdot)$ cannot be freely selected to avoid information leaking.
For example, the simplest function $f_{be}(x) = x$ is not secure. Two classes
of such functions are suggested, and both can make information leaking
impossible. If the distribution of $C_i$ is modified to be uniform with some
techniques¹, then $f_{be}(\cdot)$ can be freely selected.

¹ As mentioned in [7], two methods are available: the modification proposed in [2]
and the entropy-based lossless compression technique [13].

2.2 A defect in the above modified Baptista-type cryptosystem

Although the above modified Baptista-type cryptosystem can resist the attacks
proposed in [8,9], considering $\tilde{C}_i \oplus f_{be}(x) = \tilde{C}'_i \oplus f_{be}(x')$ is possible
for $\tilde{C}_i \ne \tilde{C}'_i$, erroneous plain-characters may be "decrypted" with a generally
small but nonzero probability: at the decipher side, when
$\tilde{C}_i \oplus f_{be}(x) = C_i$, the restored "$\tilde{C}_i$" may not be the real iteration
count $\tilde{C}_i$ at the encipher side, so that the restored chaotic state $x$ is wrong
and, as a result, the decrypted plain-character is also wrong.

At first, let us see how serious this defect is. We can estimate the error
probability at the encipher side as follows. Apparently, the decryption is correct
if and only if the real $C_i$ never occurs before the first $x$ satisfying $f'_S(x) = m_i$
is found. That is, for a specific $\tilde{C}_i$, the probability to successfully restore $\tilde{C}_i$
(i.e. the probability to get the correct decryption) via the above decryption
procedure is

Generally, assume the bit size of $C_i$ is $n$ (for the original Baptista-type
cryptosystem $n = 16$) and the chaotic orbit $\{F^k(x_0^{(i-1)})\}$ has a uniform
distribution, we have: $\forall C_i$, $P\{f_{be}(F^k(x_0^{(i-1)})) = C_i\} = 2^{-n}$, i.e.,

$$P\{f_{be}(F^k(x_0^{(i-1)})) \ne k \oplus C_i\} = 1 - 2^{-n}. \tag{4}$$

Assume $f_{be}(F^k(x_0^{(i-1)})) = k \oplus C_i$ ($k = N_0 \sim \tilde{C}_i - 1$) are independent events.
Then, we can deduce $P_c(\tilde{C}_i) = (1 - 2^{-n})^{\tilde{C}_i - N_0}$. It is obvious that
$P_c(\tilde{C}_i) \to 0$ as $\tilde{C}_i \to \infty$, which means any decryption behaves like a
random guess after a sufficiently long period of time.

Considering the non-uniform distribution of $\tilde{C}_i$, for the first plain-character
$m_1$, from the total probability rule we can calculate² the final probability $P_{c,1}$:

$$P_{c,1} = \sum_{k=N_0}^{N_{\max}} P\{\tilde{C}_1 = k\}\cdot P_c(k)
        = \sum_{k=N_0}^{N_{\max}} P\{\tilde{C}_1 = k\}\cdot(1 - 2^{-n})^{k-N_0}. \tag{5}$$

² Here, assume $P\{\tilde{C}_i > N_{\max}\} = 0$ (see Sec. 3.4 for an explanation).

Fig. 1. $P_{c,i}$ with respect to the position of the plain-character $i$.

To simplify the calculation, without loss of generality, assume $F(x)$ visits each
$\epsilon$-interval with the same probability³ $p = 1/S$. Then, we have
$P\{\tilde{C}_1 = k\} = p(1-p)^{k-N_0}$, so that

$$P_{c,1} = \sum_{k=N_0}^{N_{\max}} p(1-p)^{k-N_0}\cdot(1-2^{-n})^{k-N_0}
        = p\cdot\sum_{k'=0}^{N_{\max}-N_0} q^{k'}
        = p\cdot\frac{1 - q^{N_{\max}-N_0+1}}{1-q}, \tag{6}$$

where $q = (1-p)\cdot(1-2^{-n})$. When $S = 256$, $n = 16$, $N_0 = 250$, $N_{\max} = 65532$
(values in the original Baptista-type cryptosystem), $P_{c,1} \approx 0.9961240899211138$.
Considering $1/(1 - P_{c,1}) \approx 258$, we expect that one plaintext with wrong leading
plain-character will occur on average in 258 plain-characters. Here, note
that all plain-characters after a wrong plain-character will be wrong with a
high probability close to 1, i.e., there exists error propagation. It is obvious
that the error propagation makes things worse for $i > 1$:

$$P_{c,i} = \left(\prod_{j=1}^{i-1} P_{c,1}\right)\cdot P_{c,1} = P_{c,1}^{\,i}
        = \left(p\cdot\frac{1 - q^{N_{\max}-N_0+1}}{1-q}\right)^{i}. \tag{7}$$

For the above calculated $P_{c,1}$, $P_{c,i}$ with respect to $i$ is shown in Fig. 1. As $i$
increases, the probability decreases exponentially. Once $P_{c,i}$ goes below $1/S$,
a random guess process will replace the role of the designed decipher.

³ The logistic map does not satisfy this requirement, so we suggest using PWLCM to
replace the logistic map in Sec. 3.1.
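
The figures quoted above can be reproduced numerically from Eqs. (5)-(7). The following Python is an added example, not part of the Letter: the function names are illustrative, and it assumes the uniform visiting probability p = 1/S and the independence assumption used in the text.

```python
# Added example: numerical check of Eqs. (5)-(7) under the text's assumptions
# (each epsilon-interval visited with probability p = 1/S, mask values
# independent and uniform over n bits).

def p_c1_sum(S, n, N0, Nmax):
    """Eq. (5) with P{C~_1 = k} = p(1-p)^(k-N0), summed term by term."""
    p = 1.0 / S
    no_collision = 1.0 - 2.0 ** -n          # Eq. (4)
    return sum(p * ((1.0 - p) * no_collision) ** (k - N0)
               for k in range(N0, Nmax + 1))

def p_c1_closed(S, n, N0, Nmax):
    """Closed form of Eq. (6): a geometric series with ratio q."""
    p = 1.0 / S
    q = (1.0 - p) * (1.0 - 2.0 ** -n)
    return p * (1.0 - q ** (Nmax - N0 + 1)) / (1.0 - q)

def p_ci(p_c1, i):
    """Eq. (7): probability that the i-th character is still decrypted
    correctly once error propagation is taken into account."""
    return p_c1 ** i

def first_position_below_guess(p_c1, S):
    """Smallest i for which P_{c,i} < 1/S, i.e. where decryption is no
    better than guessing one of the S characters at random."""
    i, prob = 1, p_c1
    while prob >= 1.0 / S:
        i, prob = i + 1, prob * p_c1
    return i

if __name__ == "__main__":
    # Parameter values quoted in the text for the original cryptosystem.
    S, n, N0, Nmax = 256, 16, 250, 65532
    closed = p_c1_closed(S, n, N0, Nmax)
    print("P_c,1 (closed form):", closed)
    print("P_c,1 (direct sum): ", p_c1_sum(S, n, N0, Nmax))
    print("1 / (1 - P_c,1):    ", 1.0 / (1.0 - closed))
    print("P_c,i < 1/S from i =", first_position_below_guess(closed, S))
```

With the quoted parameters the direct sum and the closed form agree, and the search shows how many plain-characters it takes before the curve of Fig. 1 crosses 1/S.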

2.3 Rectification to the existing defect

Now, we try to rectify the above-discussed encryption/decryption scheme to
avoid the existing defect. The goal is to ensure that $\forall i$, $P_{c,i} = 1$.

With a memory unit allocated to store $N_{\max} - N_0 + 1$ variables
$B[N_0] \sim B[N_{\max}]$ representing $C_i = N_0 \sim C_i = N_{\max}$ respectively, we propose to
change the encryption/decryption procedure as follows:

• The encryption procedure: for the $i$-th plain-character $m_i$, firstly set
$B[N_0] = \cdots = B[N_{\max}] = 0$, iterate the chaotic system starting from
$x_0^{(i-1)}$ for $N_0$ times, set $\tilde{C}_i = N_0$, and then perform the following
operations: $C_i = \tilde{C}_i \oplus f_{be}(x)$, $B[C_i]{+}{+}$, if the current chaotic state $x$
satisfies $f'_S(x) = m_i$, then a 2-tuple ciphertext $(C_i, B[C_i])$ is generated and set
$x_0^{(i)} = x$ and then goto the next plain-character $m_{i+1}$; otherwise, repeat this
procedure until a ciphertext is generated.

• The decryption procedure: for each ciphertext unit $(C_i, B_i)$, firstly iterate the
chaotic system for $N_0$ times and set $\tilde{C}_i = N_0$, then perform the following
operations: if $\tilde{C}_i \oplus f_{be}(x) = C_i$ for the $B_i$-th time then use the current
chaotic state $x$ to derive the plain-character $m_i$ and goto the next ciphertext
unit $(C_{i+1}, B_{i+1})$; otherwise iterate the chaotic system and $\tilde{C}_i{+}{+}$ for 1
iteration, until the above condition is satisfied.

In Fig. 2, we show flow charts for the above rectified encryption and decryption
procedures, in which $B[j] = 0$ means setting all $B[j]$ ($j = N_0 \sim N_{\max}$) to
zeros, $\tilde{C}_i = N_0$ denotes $N_0$ chaotic iterations and setting $\tilde{C}_i$ to $N_0$, and
$\tilde{C}_i{+}{+}$ indicates one chaotic iteration and increasing $\tilde{C}_i$ by one.
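
The masked scheme of Sec. 2.1, the decryption defect of Sec. 2.2 and the rectified procedures above can be exercised together in a short program. This is an added example, not code from the Letter: the skew tent map, the bit-extracting `f_be`, the identity association map, the sample key and the toy sizes (S = 16, N0 = 20, a 6-bit mask) are all assumptions, chosen so that mask collisions are frequent enough to observe.

```python
from collections import Counter

# Toy parameters for this example (the text quotes S=256, N0=250, Nmax=65532,
# n=16 for the original cryptosystem).
P_TENT, S, N0, NMAX, NBITS = 0.37, 16, 20, 4000, 6
X_MIN, X_MAX = 0.2, 0.8          # interval X' split into S epsilon-intervals

def F(x):
    """Skew tent map, used here as the chaotic system (an assumption)."""
    return x / P_TENT if x <= P_TENT else (1.0 - x) / (1.0 - P_TENT)

def f_s(x):
    """f'_S with the identity association: interval index, None for beta."""
    if not X_MIN <= x < X_MAX:
        return None
    return min(int((x - X_MIN) / (X_MAX - X_MIN) * S), S - 1)

def f_be(x):
    """Hypothetical mask generator; not one of the classes suggested in [7]."""
    return int(x * 2**20) & (2**NBITS - 1)

def encrypt(msg, x0):
    """Rectified encryption: one (C_i, B[C_i]) pair per plain-character."""
    x, units = x0, []
    for m in msg:
        seen = Counter()         # B[.], cleared for every plain-character; a
        for _ in range(N0):      # Counter also holds masked values < N0
            x = F(x)
        k = N0                   # iteration counter (C~_i in the text)
        while True:
            c = k ^ f_be(x)      # C_i = C~_i XOR f_be(x)
            seen[c] += 1         # B[C_i]++
            if f_s(x) == m:
                units.append((c, seen[c]))
                break
            if k == NMAX:
                raise OverflowError("C~_i exceeded Nmax (case of Sec. 3.4)")
            x, k = F(x), k + 1
    return units

def decrypt(units, x0, use_b=True):
    """use_b=False stops at the first match (decipher of Sec. 2.1);
    use_b=True waits for the B_i-th match (rectified decipher)."""
    x, out = x0, []
    for c, b in units:
        for _ in range(N0):
            x = F(x)
        k, hits, want = N0, 0, (b if use_b else 1)
        while k <= NMAX:
            if k ^ f_be(x) == c:
                hits += 1
                if hits == want:
                    break
            x, k = F(x), k + 1
        out.append(f_s(x))
    return out

# Constructed sample message over the alphabet {0, ..., S-1} and sample key.
MSG = [(7 * i + 3) % S for i in range(200)]
X0 = 0.123456789

if __name__ == "__main__":
    ct = encrypt(MSG, X0)
    print("units with B_i > 1:", sum(b > 1 for _, b in ct))
    print("first-match decryption correct:", decrypt(ct, X0, False) == MSG)
    print("rectified decryption correct:  ", decrypt(ct, X0, True) == MSG)
```

Every unit with B_i > 1 marks a character the first-match decipher gets wrong, after which its chaotic state is out of step with the encipher side.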

Compared with the original Baptista-type cryptosystem, this rectified cryp- 
tosystem manages to solve the aforementioned defect with a cost of adding 
more implementation complexity: 

(1) Extra memory is needed to store $N_{\max} - N_0 + 1$ variables $B[j]$. When each
$B[j]$ is stored as a 2-byte integer, the memory size is $2 \times (N_{\max} - N_0 + 1)$
bytes. When $N_{\max} = 65532$ and $N_0 = 250$, it is not greater than 128 KB.

(2) The encryption speed becomes lower since $N_{\max} - N_0 + 1$ variables $B[j]$
should be set to zero for each plain-character.

(3) The ciphertext size becomes even longer: $B[C_i]$ is added into each
ciphertext unit.

Fortunately, the requirement on extra memory is acceptable in all digital
computers nowadays (128 KB is not so much for a computer with over tens or
hundreds of MB in memory), and the encryption speed will not be influenced
much when this rectified cipher is implemented in hardware with parallel
support: all $N_{\max} - N_0 + 1$ variables $B[j]$ can be set to zeros within a clock cycle
simultaneously, which eliminates the negative effect on the encryption speed.
In addition, chaotic iteration can be run in parallel with $C_i = \tilde{C}_i \oplus f_{be}(x)$,
$B[C_i]{+}{+}$ and $f'_S(x) = m_i$ with pre-calculation and delay design. Therefore,
the above rectification is quite practical in enhancing the performance of
Baptista-type cryptosystem. Moreover, the enlargement of the ciphertext size
can be effectively minimized by some other methods, which will be discussed
in the next subsection.

Fig. 2. The encryption and decryption procedures of the rectified Baptista-type
cryptosystem.



2.4 Minimizing the enlargement of the ciphertext size 



In the rectified cryptosystem, the ciphertext size is prolonged. Some methods 
can be used to overcome this problem. Here, we introduce two of them. 

The first method is to use variable-length ciphertext. For example, we can
change the ciphertext as follows:

• When $B[C_i] = 1$ and $N_0 \le C_i < N_{\max}$, output $C_i$ as the ciphertext.

• When $B[C_i] = 1$ and $C_i = N_{\max}$, output $(N_{\max}, C_i)$ as the ciphertext.

• When $B[C_i] > 1$, output $(N_{\max}, B[C_i], C_i)$ as the ciphertext.

Assume the size of $C_i$ is $n$. We can calculate the mathematical expectation of
the ciphertext size, corresponding to one plain-character, as follows:

$$(1 - P_{e,1})\cdot\left(P\{N_0 \le C_i < N_{\max}\}\cdot n + P\{C_i = N_{\max}\}\cdot 2n\right) + P_{e,1}\cdot 3n. \tag{8}$$

Since $P\{C_i = N_{\max}\} \ll P\{N_0 \le C_i < N_{\max}\}$, it can be approximately
reduced to

$$(1 - P_{e,1})\cdot n + P_{e,1}\cdot 3n = (1 + 2P_{e,1})\cdot n. \tag{9}$$

Generally, $P_{e,1} = 1 - P_{c,1} \ll 1$, so it is only a little bit greater than $n$, which is the
ciphertext size of the original Baptista-type cryptosystem.

Another method is to use the compression algorithm suggested in [7,14]. Since
both $C_i$ and $B[C_i]$ have exponentially decreasing distributions, it is natural
to use lossless entropy-based compression algorithms to make the ciphertext
size shorter. Following the deduction given in [14], assuming that the bit size
of $C_i$ is $n$, the average size of the compressed $C_i$ will be $n/2$. Since generally
$P_{e,1} = 1 - P_{c,1} \ll 1$, it is obvious that the average size of a compressed $B[C_i]$ will be
close to 1 from a probabilistic point of view. That is, the average ciphertext
size corresponding to one plaintext will be close to $n + 1$.

Actually, we can also combine the above two methods to obtain a better
solution. Using a compressed $C_i$ in the first method can successfully reduce
the average ciphertext size to about $n/2$.



3 Some general problems of Baptista-type chaotic cryptosystems
and some corresponding countermeasures

3.1 Problems of the logistic map for encryption 

In the original Baptista-type chaotic cryptosystem and all its modifications 
proposed thus far, the logistic map is used as the chaotic system. But the 
logistic map is not a good chaotic system for encryption due to the following 
reasons. 

a) Non-uniform visiting probability on each $\epsilon$-interval. It is well-known that
the logistic map has a non-uniform invariant density function, which causes
the visiting probability of each $\epsilon$-interval to be different. Experimental data
given in Fig. 2 of [1] have shown such a disadvantage, but Baptista [1] did not
consider it as a negative factor to security. From a cryptographical point of
view, this issue indeed is not desirable and may be vulnerable to some subtle
statistics-based attacks. In fact, such a disadvantage has been successfully
utilized to design an entropy-based attack by Alvarez et al. in [9].

b) Limits on the control parameter $b$. It is also well-known that the logistic
map becomes chaotic when $b > 3.5699\cdots$ and is completely chaotic (with
the Lyapunov exponent being maximal) only when $b = 4$. To ensure that
the generated orbit is sufficiently chaotic, $b$ has to be sufficiently close to 4,
which limits the key space to be a small set near 4. In addition, dynamics of
the logistic map with different values of the control parameter $b$ are different,
which may be utilized to develop some new attacks. In [14], we have shown a
similar defect in the chaotic cryptosystem developed in [15].

To avoid the above problems of the logistic map, we suggest using the following
piecewise linear chaotic maps (PWLCM) with the onto property [16, §3.2.1]
to replace the logistic map. An onto PWLCM is generally chaotic and has
the following good dynamical properties on its defining interval $X$ [16-19]: 1)
its Lyapunov exponent $\lambda = -\sum_{i=1}^{m} \|C_i\| \cdot \ln\|C_i\|$ satisfying
$0 < \lambda < \ln m$; 2) it is exact, mixing and ergodic; 3) it has a uniform invariant
density function, $f(x) = 1/\|X\| = 1/(\beta - \alpha)$; 4) its auto-correlation function
$\tau(n) = \lim_{N\to\infty} \frac{1}{\sigma^2 N} \sum_{i=0}^{N-1} (x_i - \bar{x})(x_{i+n} - \bar{x})$
approaches zero as $n \to \infty$, where $\bar{x}$, $\sigma^2$ are the mean value and the
variance of $x$, respectively. A typical example is the well-known skew tent map
with a single control parameter $p \in (0, 1)$:

$$F(x) = \begin{cases} x/p, & x \in [0, p], \\ (1-x)/(1-p), & x \in (p, 1]. \end{cases} \tag{10}$$

Besides the above properties, PWLCM are also the simplest chaotic maps from
the digital implementation point of view. In addition, some theoretical results
on a direct digital realization of such maps have been rigorously established [17],
which are useful for optimizing the implementation of Baptista-type chaotic
cryptosystems.

3.2 Problems of the secret key

In the original Baptista-type cryptosystem, the association map $f_S$ also serves
as part of the whole secret key. But we believe that $f_S$ should not be included
in the secret key from an implementation consideration: it is too long for most
users to remember. If a secret algorithm is used to generate $f_S$, then the secret
key will be changed from $f_S$ to the key of the secret algorithm, which is easier
to implement.

In [9], the correlation between $b$ and $x_0$ has been used to develop some
theoretical attacks. To avoid potential dangers, it is advisable to use only control
parameter(s) as the secret key.

3.3 Dynamical degradation of digital chaotic systems 

In all versions of Baptista-type chaotic cryptosystems, dynamical degradation
of digital chaotic systems is neglected. However, it has been found that
dynamics of chaotic systems can easily collapse in the digital world, and the
dynamical degradation may have some negative influences on the performance
of digital chaos-based applications [16,17]. Also, dynamical degradation may
enlarge differences among different visiting probabilities of different $\epsilon$-intervals
of a chaotic map.

Therefore, some methods should be used to improve such dynamical degradation
of the employed chaotic system in all Baptista-type chaotic cryptosystems,
which will ensure the visiting probability of each $\epsilon$-interval to be close
enough to the theoretical value. As we discussed in [16,17], a pseudo-random
perturbation algorithm is desirable and hence is recommended: use a simple
pseudo-random number generator (PRNG) to generate a small signal, to
perturb the concerned chaotic orbit every $\Delta > 1$ iterations.
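
The per-interval visiting probability that Sec. 3.1 a) criticises in the logistic map, and that this subsection wants kept close to its theoretical value, can be measured directly. This is an added example, not from the Letter: it counts visits to the ε-intervals of X' for the logistic map with b = 4 and for the skew tent map of Eq. (10) in double-precision arithmetic, and the partition X' = [0.2, 0.8) with S = 8, the seed and p = 0.37 are constructed values.

```python
import math

S, X_MIN, X_MAX = 8, 0.2, 0.8      # constructed partition of X'

def logistic(x, b=4.0):
    """Logistic map F(x) = b x (1 - x)."""
    return b * x * (1.0 - x)

def skew_tent(x, p=0.37):
    """Skew tent map of Eq. (10)."""
    return x / p if x <= p else (1.0 - x) / (1.0 - p)

def visit_counts(step, x0, n_iter):
    """Number of visits to each epsilon-interval of X' along one orbit."""
    counts, x = [0] * S, x0
    for _ in range(n_iter):
        x = step(x)
        if X_MIN <= x < X_MAX:
            idx = int((x - X_MIN) / (X_MAX - X_MIN) * S)
            counts[min(idx, S - 1)] += 1
    return counts

def spread(weights):
    """Ratio between the most and the least visited interval (1.0 = uniform)."""
    return max(weights) / min(weights)

def logistic_theory():
    """Interval probabilities for b = 4, from the invariant density
    1 / (pi * sqrt(x (1 - x))), whose CDF is (2/pi) * asin(sqrt(x))."""
    cdf = lambda x: 2.0 / math.pi * math.asin(math.sqrt(x))
    eps = (X_MAX - X_MIN) / S
    return [cdf(X_MIN + (i + 1) * eps) - cdf(X_MIN + i * eps)
            for i in range(S)]

if __name__ == "__main__":
    n_iter, x0 = 200_000, 0.123456789     # constructed seed
    print("logistic, theory  :", round(spread(logistic_theory()), 4))
    print("logistic, measured:",
          round(spread(visit_counts(logistic, x0, n_iter)), 4))
    print("skew tent, measured:",
          round(spread(visit_counts(skew_tent, x0, n_iter)), 4))
```

A spread well above 1 means some plain-characters are reached systematically sooner than others, which is the statistical bias an entropy-based attack relies on.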

3.4 A trivial problem when Ci > Nmax 

The original Baptista-type cryptosystem did not consider what one should do
if $C_i > N_{\max}$. It seems to presume that $C_i$ will never be greater than $N_{\max}$.
However, this is obviously not true. Here, assume $F(x)$ visits each $\epsilon$-interval
with the same probability, $p = 1/S$. We can deduce that

$$P\{C_i > N_{\max}\} = P\{C_i - N_0 > N_{\max} - N_0\} = (1 - p)^{N_{\max} - N_0 + 1}. \tag{11}$$

Although this probability is very small when $N_{\max}$ is large enough, it is
nevertheless non-zero. To make the cryptosystem rigorously complete, we propose
to use the following $(n+1)$-tuple data to replace $C_i$ when $C_i > N_{\max}$:
$(\underbrace{N_{\max}, \cdots, N_{\max}}_{n}, c_i)$, where the number of total chaotic
iterations is equal to $C_i = N_{\max} \times n + c_i$. Apparently,
$(\underbrace{N_{\max}, \cdots, N_{\max}}_{n}, c_i)$ can be represented in
a more brief format: $(N_{\max}, n, c_i)$. When $C_i = N_{\max}$, the 3-tuple ciphertext
$(N_{\max}, n, c_i)$ can be further reduced to $(N_{\max}, 0)$.

In fact, it is also acceptable to modify the original cryptosystem as follows:
once $C_i = N_{\max}$ occurs, immediately output a 2-tuple data $(N_{\max}, m_i)$ instead
of $C_i$. Considering $P\{C_i > N_{\max}\}$ is very small, such a tiny chance of
information leaking does no harm on the security of the cryptosystem in practice.